Sparks over US power grid cybersecurity

Security? What Security!

A new measure aims to protect the networks that control electric power distribution throughout North America. But not everyone is juiced over plans to hold utilities accountable to tight security practices, says Kevin Poulsen, of SecurityFocus.

The organization responsible for keeping electricity flowing throughout the United States and Canada took its first serious step this week to shoring up cybersecurity on the Byzantine computer networks that control electric power distribution.

That portions of the power grid are vulnerable to hack attack has been known since at least 1997, when a six-month vulnerability assessment by the White House's National Security Telecommunications Advisory Committee found basic security flaws in the computerized systems that control generators, switching stations and electrical substations.

Among other things, the committee reported that operational networks controlling critical portions of the grid were accessible through electric companies' corporate LANs; some digital circuit breakers could be remotely tripped by anyone with the right phone number; and fixed passwords for remote vendor access went unchanged for years.

Despite the vulnerabilities, the report noted that physical attacks against utilities pose a greater threat than cyber attacks, and years later there are still no known cases of hackers causing service outages. But closing the cybersecurity holes in "critical infrastructures" took on new urgency after September 11, and the Federal Energy Regulatory Committee (FERC), which regulates the electric industry in the U.S., began talking about imposing security requirements on power companies.

Not surprisingly, the power companies prefer to regulate themselves. On Wednesday, the North American Electrical Reliability Council (NERC) unveiled a proposed mandatory security standard for the electric industry. A not-for-profit group that umbrellas electric utilities in the U.S. and Canada, NERC formed in the wake of the catastrophic 1965 blackout that knocked out power to 30 million people in the northeastern United States. Its mission is to keep the lights on.

Based on the same broad standards that the government was contemplating, the NERC security rules -- which will face a vote in May -- aren't exactly revolutionary: companies would have to launch cyber security training programs, write security policies, identify their critical "cyber assets," etc... But electric workers say that making the rules an official standard changes everything for the 100-year-old industry. "That's a big deal -- to be the NERC standard," says David Norton, a cyber security consultant to the industry. "They've added requirements for compliance monitoring, with sanctions for noncompliance."

That worries Kenneth Hooper, a protection engineer at NB Power, an electric company serving the Canadian province of New Brunswick. He says mandatory continent-wide security measures are too blunt an instrument for the job. "We feel that security is an issue, but each area should be allowed to address it as they see fit," says Hooper. "Our security issues are not nearly as great as Boston or New York, or one of the major load centers like that."

Risk Management

Hooper isn't worried about the language of the new standard so much as what will replace it. Under NERC's bylaws, the emergency measure setting the rules will expire two years after passage, and the group has promised regulators that a more specific security standard will be in place before then. No one knows what that will be, but a parallel NERC effort has drafted a new official, but non-binding, cybersecurity "guideline" that Hooper says is a likely candidate to become the next standard.

The draft guideline offers a much more detailed prescription for curing the power grid's security ills: "Set dial-out modems to not auto-answer," reads one pointer. "Automatically lock accounts or access paths after a preset number of consecutive invalid password attempts," suggests another.
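As an added illustration (not code from the article or from the NERC guideline), the second pointer above can be expressed as a small lockout policy: the counter tracks only consecutive failures, a successful login resets it, and a locked account rejects even the correct password until the lockout period expires. The threshold of three attempts, the 15-minute lockout and the account name are assumptions.

```python
from dataclasses import dataclass
from typing import Dict

MAX_CONSECUTIVE_FAILURES = 3  # assumed "preset number" of attempts
LOCKOUT_SECONDS = 900         # assumed lockout period (15 minutes)


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: float = 0.0  # timestamp; 0 means not locked


class LockoutPolicy:
    """Locks an account after N consecutive invalid password attempts."""

    def __init__(self, max_failures: int = MAX_CONSECUTIVE_FAILURES,
                 lockout_seconds: float = LOCKOUT_SECONDS) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        state = self._accounts.get(user)
        return state is not None and now < state.locked_until

    def record_attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Returns 'granted', 'denied' or 'locked' for one login attempt.

        `now` is injected (e.g. time.monotonic()) so the policy is testable.
        """
        state = self._accounts.setdefault(user, AccountState())
        if now < state.locked_until:
            # While locked, the password is not even consulted.
            return "locked"
        if password_ok:
            state.consecutive_failures = 0  # only *consecutive* failures count
            return "granted"
        state.consecutive_failures += 1
        if state.consecutive_failures >= self.max_failures:
            state.locked_until = now + self.lockout_seconds
            state.consecutive_failures = 0  # fresh count once the lock expires
            return "locked"
        return "denied"
```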

"All of the new products that we use these days are microprocessor controlled and they have serial ports on them, so they can be accessed remotely by modem, and also by an intranet connection over Ethernet," says Hooper. "So some of these things would impact us, like rotating passwords, and some of the things mentioned in the guide... Who wants to have their company's name being published all over the world as being noncompliant with a NERC standard?"

Shouldn't equipment that controls the flow of electricity at least have its passwords changed periodically, as suggested by the guideline? Hooper says it's a matter of risk management -- even if a malicious hacker gained access to his company's systems, the attacker wouldn't be able to cause any problems that the utility isn't prepared for anyway. "Say that someone hacks into some of my protecting relays, and makes it so it could trip when it shouldn't trip," says Hooper. "We already live with that risk of happening every day, so we have things in place that mitigate the impact."

Norton agrees that there are downsides to the measure -- for one, he says some power companies will have trouble paying for the cyber security enhancements. "They'll need to go to some government agency and build a case for why consumer rates need to go up." For that reason, he believes that rural and municipal utilities should be given extra time to implement the security standard, and its eventual sequel, before facing sanctions.

But Norton also describes the power grid's fractal network of interdependent systems. "There's incredible variety of equipment, generationally, vendor-wise, because it's kind of been cobbled together as neighborhoods get bigger," he says. "You've got increasingly sophisticated control centers and increasingly sophisticated microprocessor-controlled equipment, and linking them are unencrypted 1200-baud lines."

An industry drive to make that tangled web more secure is long overdue, he says. "The alternative is to have the NSA and NIST, or somebody who manages rates, FERC, basically coming in without really understanding what the electric power business is all about."